Merge pull request #4728 from laanwj/2014_08_rpcserver_password_delay

Don't reveal whether password is <20 or >20 characters in RPC
pull/4731/head
Gavin Andresen 10 years ago
commit 10dcbc1be0

@ -849,10 +849,9 @@ static bool HTTPReq_JSONRPC(AcceptedConnection *conn,
if (!HTTPAuthorized(mapHeaders))
{
LogPrintf("ThreadRPCServer incorrect password attempt from %s\n", conn->peer_address_to_string());
/* Deter brute-forcing short passwords.
/* Deter brute-forcing
If this results in a DoS the user really
shouldn't have their RPC port exposed. */
if (mapArgs["-rpcpassword"].size() < 20)
MilliSleep(250);
conn->stream() << HTTPError(HTTP_UNAUTHORIZED, false) << std::flush;

Loading…
Cancel
Save